Branch data Line data Source code
1 : : /*
2 : : * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 : : *
4 : : * Licensed under the Apache License, Version 2.0 (the "License").
5 : : * You may not use this file except in compliance with the License.
6 : : * A copy of the License is located at
7 : : *
8 : : * http://aws.amazon.com/apache2.0
9 : : *
10 : : * or in the "license" file accompanying this file. This file is distributed
11 : : * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 : : * express or implied. See the License for the specific language governing
13 : : * permissions and limitations under the License.
14 : : */
15 : :
16 : : #include "tls/s2n_signature_algorithms.h"
17 : :
18 : : #include "crypto/s2n_fips.h"
19 : : #include "crypto/s2n_rsa_pss.h"
20 : : #include "error/s2n_errno.h"
21 : : #include "tls/s2n_auth_selection.h"
22 : : #include "tls/s2n_cipher_suites.h"
23 : : #include "tls/s2n_connection.h"
24 : : #include "tls/s2n_kex.h"
25 : : #include "tls/s2n_security_policies.h"
26 : : #include "tls/s2n_signature_scheme.h"
27 : : #include "utils/s2n_safety.h"
28 : :
29 : : static S2N_RESULT s2n_signature_scheme_validate_for_send(struct s2n_connection *conn,
30 : : const struct s2n_signature_scheme *scheme)
31 : 147714 : {
32 [ - + ][ # # ]: 147714 : RESULT_ENSURE_REF(conn);
33 : :
34 : : /* If no protocol has been negotiated yet, the actual_protocol_version will
35 : : * be equivalent to the client_protocol_version and represent the highest
36 : : * version supported.
37 : : */
38 [ + + ][ + - ]: 147714 : RESULT_ENSURE_GTE(conn->actual_protocol_version, scheme->minimum_protocol_version);
39 : :
40 : : /* QUIC only supports TLS1.3 */
41 [ + + ][ + + ]: 143563 : if (s2n_connection_is_quic_enabled(conn) && scheme->maximum_protocol_version) {
42 [ + - ][ + - ]: 96 : RESULT_ENSURE_GTE(scheme->maximum_protocol_version, S2N_TLS13);
43 : 96 : }
44 : :
45 [ - + ]: 143467 : if (!s2n_is_rsa_pss_signing_supported()) {
46 [ # # ][ # # ]: 0 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_RSAE);
47 : 0 : }
48 : :
49 [ - + ]: 143467 : if (!s2n_is_rsa_pss_certs_supported()) {
50 [ # # ][ # # ]: 0 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA_PSS_PSS);
51 : 0 : }
52 : :
53 : 143467 : return S2N_RESULT_OK;
54 : 143467 : }
55 : :
56 : : static bool s2n_signature_scheme_is_valid_for_send(struct s2n_connection *conn,
57 : : const struct s2n_signature_scheme *scheme)
58 : 111913 : {
59 : 111913 : return s2n_result_is_ok(s2n_signature_scheme_validate_for_send(conn, scheme));
60 : 111913 : }
61 : :
62 : : static S2N_RESULT s2n_signature_scheme_validate_for_recv(struct s2n_connection *conn,
63 : : const struct s2n_signature_scheme *scheme)
64 : 35801 : {
65 [ - + ][ # # ]: 35801 : RESULT_ENSURE_REF(scheme);
66 [ - + ][ # # ]: 35801 : RESULT_ENSURE_REF(conn);
67 : :
68 [ + + ]: 35801 : RESULT_GUARD(s2n_signature_scheme_validate_for_send(conn, scheme));
69 : :
70 [ + + ]: 35777 : if (scheme->maximum_protocol_version != S2N_UNKNOWN_PROTOCOL_VERSION) {
71 [ + + ][ + - ]: 3334 : RESULT_ENSURE_LTE(conn->actual_protocol_version, scheme->maximum_protocol_version);
72 : 3334 : }
73 : :
74 [ - + ][ # # ]: 35096 : RESULT_ENSURE_NE(conn->actual_protocol_version, S2N_UNKNOWN_PROTOCOL_VERSION);
75 [ + + ]: 35096 : if (conn->actual_protocol_version >= S2N_TLS13) {
76 [ + - ][ + + ]: 28178 : RESULT_ENSURE_NE(scheme->hash_alg, S2N_HASH_SHA1);
77 [ + - ][ + + ]: 28177 : RESULT_ENSURE_NE(scheme->sig_alg, S2N_SIGNATURE_RSA);
78 : 28177 : }
79 : :
80 : 35094 : return S2N_RESULT_OK;
81 : 35096 : }
82 : :
83 : : static bool s2n_signature_scheme_is_valid_for_recv(struct s2n_connection *conn,
84 : : const struct s2n_signature_scheme *scheme)
85 : 35801 : {
86 : 35801 : return s2n_result_is_ok(s2n_signature_scheme_validate_for_recv(conn, scheme));
87 : 35801 : }
88 : :
89 : : static S2N_RESULT s2n_signature_algorithms_get_legacy_default(struct s2n_connection *conn,
90 : : s2n_mode signer, const struct s2n_signature_scheme **default_sig_scheme)
91 : 356 : {
92 [ - + ][ # # ]: 356 : RESULT_ENSURE_REF(conn);
93 [ - + ][ # # ]: 356 : RESULT_ENSURE_REF(default_sig_scheme);
94 : :
95 : 356 : s2n_authentication_method auth_method = 0;
96 [ + + ]: 356 : if (signer == S2N_CLIENT) {
97 [ - + ]: 5 : RESULT_GUARD_POSIX(s2n_get_auth_method_for_cert_type(
98 : 5 : conn->handshake_params.client_cert_pkey_type, &auth_method));
99 : 351 : } else {
100 [ # # ][ - + ]: 351 : RESULT_ENSURE_REF(conn->secure);
101 [ - + ][ # # ]: 351 : RESULT_ENSURE_REF(conn->secure->cipher_suite);
102 : 351 : auth_method = conn->secure->cipher_suite->auth_method;
103 : 351 : }
104 : :
105 [ + + ]: 356 : if (auth_method == S2N_AUTHENTICATION_ECDSA) {
106 : 142 : *default_sig_scheme = &s2n_ecdsa_sha1;
107 : 214 : } else {
108 : 214 : *default_sig_scheme = &s2n_rsa_pkcs1_md5_sha1;
109 : 214 : }
110 : 356 : return S2N_RESULT_OK;
111 : 356 : }
112 : :
113 : : S2N_RESULT s2n_signature_algorithm_recv(struct s2n_connection *conn, struct s2n_stuffer *in)
114 : 3271 : {
115 [ # # ][ - + ]: 3271 : RESULT_ENSURE_REF(conn);
116 : :
117 : 3271 : const struct s2n_signature_scheme **chosen_sig_scheme = NULL;
118 : 3271 : s2n_mode peer_mode = S2N_PEER_MODE(conn->mode);
119 [ + + ]: 3271 : if (peer_mode == S2N_CLIENT) {
120 : 129 : chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
121 : 3142 : } else {
122 : 3142 : chosen_sig_scheme = &conn->handshake_params.server_cert_sig_scheme;
123 : 3142 : }
124 : :
125 : : /* Before TLS1.2, signature algorithms were fixed instead of negotiated */
126 [ + + ]: 3271 : if (conn->actual_protocol_version < S2N_TLS12) {
127 : 175 : return s2n_signature_algorithms_get_legacy_default(conn, peer_mode, chosen_sig_scheme);
128 : 175 : }
129 : :
130 : 3096 : uint16_t iana_value = 0;
131 [ + - ][ + + ]: 3096 : RESULT_ENSURE(s2n_stuffer_read_uint16(in, &iana_value) == S2N_SUCCESS,
132 : 3095 : S2N_ERR_BAD_MESSAGE);
133 : :
134 : 3095 : const struct s2n_signature_preferences *signature_preferences = NULL;
135 [ - + ]: 3095 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
136 [ - + ][ # # ]: 3095 : RESULT_ENSURE_REF(signature_preferences);
137 : :
138 [ + + ]: 19566 : for (size_t i = 0; i < signature_preferences->count; i++) {
139 : 19557 : const struct s2n_signature_scheme *candidate = signature_preferences->signature_schemes[i];
140 : :
141 [ + + ]: 19557 : if (candidate->iana_value != iana_value) {
142 : 16470 : continue;
143 : 16470 : }
144 : :
145 [ + + ]: 3087 : if (!s2n_signature_scheme_is_valid_for_recv(conn, candidate)) {
146 : 1 : continue;
147 : 1 : }
148 : :
149 : 3086 : *chosen_sig_scheme = candidate;
150 : 3086 : return S2N_RESULT_OK;
151 : 3087 : }
152 : :
153 [ + - ]: 9 : RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_SCHEME);
154 : 9 : }
155 : :
156 : : static S2N_RESULT s2n_signature_algorithms_validate_supported_by_peer(
157 : : struct s2n_connection *conn, uint16_t iana)
158 : 6325 : {
159 [ # # ][ - + ]: 6325 : RESULT_ENSURE_REF(conn);
160 : :
161 : 6325 : const struct s2n_sig_scheme_list *peer_list = &conn->handshake_params.peer_sig_scheme_list;
162 [ + + ]: 35886 : for (size_t i = 0; i < peer_list->len; i++) {
163 [ + + ]: 35745 : if (peer_list->iana_list[i] == iana) {
164 : 6184 : return S2N_RESULT_OK;
165 : 6184 : }
166 : 35745 : }
167 : :
168 [ + - ]: 141 : RESULT_BAIL(S2N_ERR_NO_VALID_SIGNATURE_SCHEME);
169 : 141 : }
170 : :
171 : : static bool s2n_signature_algorithm_is_supported_by_peer(
172 : : struct s2n_connection *conn, uint16_t iana)
173 : 6325 : {
174 : 6325 : return s2n_result_is_ok(s2n_signature_algorithms_validate_supported_by_peer(conn, iana));
175 : 6325 : }
176 : :
177 : : S2N_RESULT s2n_signature_algorithm_select(struct s2n_connection *conn)
178 : 6740 : {
179 [ - + ][ # # ]: 6740 : RESULT_ENSURE_REF(conn);
180 [ - + ][ # # ]: 6740 : RESULT_ENSURE_REF(conn->secure);
181 : 6740 : struct s2n_cipher_suite *cipher_suite = conn->secure->cipher_suite;
182 [ # # ][ - + ]: 6740 : RESULT_ENSURE_REF(cipher_suite);
183 : :
184 : 6740 : const struct s2n_signature_scheme **chosen_sig_scheme = NULL;
185 [ + + ]: 6740 : if (conn->mode == S2N_CLIENT) {
186 : 146 : chosen_sig_scheme = &conn->handshake_params.client_cert_sig_scheme;
187 : 6594 : } else {
188 : 6594 : chosen_sig_scheme = &conn->handshake_params.server_cert_sig_scheme;
189 : 6594 : }
190 : :
191 : : /* No server signature is needed for RSA kex */
192 [ + + ][ + + ]: 6740 : if (conn->mode == S2N_SERVER && cipher_suite->key_exchange_alg == &s2n_rsa) {
193 [ - + ][ # # ]: 337 : RESULT_ENSURE_EQ(*chosen_sig_scheme, &s2n_null_sig_scheme);
194 : 337 : return S2N_RESULT_OK;
195 : 337 : }
196 : :
197 : : /* Before TLS1.2, signature algorithms were fixed instead of negotiated */
198 [ + + ]: 6403 : if (conn->actual_protocol_version < S2N_TLS12) {
199 [ - + ]: 181 : RESULT_GUARD(s2n_signature_algorithms_get_legacy_default(conn, conn->mode, chosen_sig_scheme));
200 : 181 : return S2N_RESULT_OK;
201 : 181 : }
202 : :
203 : 6222 : const struct s2n_signature_preferences *signature_preferences = NULL;
204 [ - + ]: 6222 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
205 [ - + ][ # # ]: 6222 : RESULT_ENSURE_REF(signature_preferences);
206 : :
207 : 6222 : const struct s2n_signature_scheme *fallback_candidate = NULL;
208 : :
209 : : /* We use local preference order, not peer preference order, so we iterate
210 : : * over the local preferences instead of over the options offered by the peer.
211 : : */
212 [ + + ]: 32752 : for (size_t i = 0; i < signature_preferences->count; i++) {
213 : 32714 : const struct s2n_signature_scheme *candidate = signature_preferences->signature_schemes[i];
214 : :
215 : : /* Validates that a signature is valid to choose,
216 : : * including that it's allowed by the current protocol version.
217 : : */
218 [ + + ]: 32714 : if (!s2n_signature_scheme_is_valid_for_recv(conn, candidate)) {
219 : 706 : continue;
220 : 706 : }
221 : :
222 [ + + ]: 32008 : if (s2n_is_sig_scheme_valid_for_auth(conn, candidate) != S2N_SUCCESS) {
223 : 25683 : continue;
224 : 25683 : }
225 : :
226 : : /* s2n-tls first attempts to choose a signature algorithm offered by the peer.
227 : : * However, if that is not possible, we will attempt to continue the handshake
228 : : * anyway with an algorithm not offered by the peer. This fallback behavior
229 : : * is allowed by the RFC for TLS1.3 servers and partially allowed for TLS1.2
230 : : * servers that don't receive the signature_algorithms extension, but is
231 : : * otherwise an intentional deviation from the RFC.
232 : : *
233 : : * TLS1.3 servers:
234 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3
235 : : *# If the CertificateVerify message is sent by a server, the signature
236 : : *# algorithm MUST be one offered in the client's "signature_algorithms"
237 : : *# extension unless no valid certificate chain can be produced without
238 : : *# unsupported algorithms
239 : : *
240 : : * TLS1.3 clients:
241 : : *= https://www.rfc-editor.org/rfc/rfc8446#section-4.4.3
242 : : *= type=exception
243 : : *= reason=Compatibility with hypothetical faulty peers
244 : : *# If sent by a client, the signature algorithm used in the signature
245 : : *# MUST be one of those present in the supported_signature_algorithms
246 : : *# field of the "signature_algorithms" extension in the
247 : : *# CertificateRequest message.
248 : : *
249 : : * TLS1.2 servers:
250 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.3
251 : : *= type=exception
252 : : *= reason=Compatibility with known faulty peers
253 : : *# If the client has offered the "signature_algorithms" extension, the
254 : : *# signature algorithm and hash algorithm MUST be a pair listed in that
255 : : *# extension.
256 : : *
257 : : * TLS1.2 clients:
258 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.8
259 : : *= type=exception
260 : : *= reason=Compatibility with hypothetical faulty peers
261 : : *# The hash and signature algorithms used in the signature MUST be
262 : : *# one of those present in the supported_signature_algorithms field
263 : : *# of the CertificateRequest message.
264 : : */
265 : 6325 : bool is_peer_supported = s2n_signature_algorithm_is_supported_by_peer(
266 : 6325 : conn, candidate->iana_value);
267 [ + + ]: 6325 : if (is_peer_supported) {
268 : 6184 : *chosen_sig_scheme = candidate;
269 : 6184 : return S2N_RESULT_OK;
270 : 6184 : }
271 : :
272 : : /**
273 : : *= https://www.rfc-editor.org/rfc/rfc5246#section-7.4.1.4.1
274 : : *# If the client does not send the signature_algorithms extension, the
275 : : *# server MUST do the following:
276 : : *#
277 : : *# - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA,
278 : : *# DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA), behave as if client had
279 : : *# sent the value {sha1,rsa}.
280 : : *#
281 : : *# - If the negotiated key exchange algorithm is one of (DHE_DSS,
282 : : *# DH_DSS), behave as if the client had sent the value {sha1,dsa}.
283 : : *#
284 : : *# - If the negotiated key exchange algorithm is one of (ECDH_ECDSA,
285 : : *# ECDHE_ECDSA), behave as if the client had sent value {sha1,ecdsa}.
286 : : *
287 : : * The default scheme for DSA is not used because s2n-tls does not support DSA certificates.
288 : : *
289 : : * These defaults are only relevant for TLS1.2, since TLS1.3 does not allow SHA1.
290 : : */
291 [ + + ][ + + ]: 141 : bool is_default = (candidate == &s2n_ecdsa_sha1 || candidate == &s2n_rsa_pkcs1_sha1);
292 : :
293 : : /* If we ultimately cannot choose any algorithm offered by the peer,
294 : : * we will attempt negotiation with an algorithm not offered by the peer.
295 : : *
296 : : * The TLS1.2 RFC specifies default algorithms for use when no signature_algorithms
297 : : * extension is sent-- see the definition of is_default above.
298 : : *
299 : : * s2n-tls has encountered clients in the wild that support the TLS1.2
300 : : * default algorithms but do not include them in their signature_algorithms
301 : : * extension, likely due to a misreading of the RFC. So s2n-tls attempts
302 : : * to use the TLS1.2 defaults even when the client sends the signature_algorithms
303 : : * extension, and always treats them as the most preferred fallback option.
304 : : *
305 : : * If the TLS1.2 defaults are not possible-- for example, because TLS1.3
306 : : * or the security policy forbids SHA1-- we fallback to our own most
307 : : * preferred algorithm. In most cases a correctly implemented peer will reject
308 : : * this fallback, but the only alternative is to kill the connection here.
309 : : */
310 [ + + ]: 141 : if (is_default) {
311 : 13 : fallback_candidate = candidate;
312 [ + + ]: 128 : } else if (fallback_candidate == NULL) {
313 : 51 : fallback_candidate = candidate;
314 : 51 : }
315 : 141 : }
316 : :
317 [ + + ]: 38 : if (fallback_candidate) {
318 : 25 : *chosen_sig_scheme = fallback_candidate;
319 : 25 : } else {
320 [ + - ]: 13 : RESULT_BAIL(S2N_ERR_NO_VALID_SIGNATURE_SCHEME);
321 : 13 : }
322 : 25 : return S2N_RESULT_OK;
323 : 38 : }
324 : :
325 : : S2N_RESULT s2n_signature_algorithms_supported_list_send(struct s2n_connection *conn, struct s2n_stuffer *out)
326 : 7708 : {
327 : 7708 : const struct s2n_signature_preferences *signature_preferences = NULL;
328 [ - + ]: 7708 : RESULT_GUARD_POSIX(s2n_connection_get_signature_preferences(conn, &signature_preferences));
329 [ # # ][ - + ]: 7708 : RESULT_ENSURE_REF(signature_preferences);
330 : :
331 : 7708 : struct s2n_stuffer_reservation size = { 0 };
332 [ - + ]: 7708 : RESULT_GUARD_POSIX(s2n_stuffer_reserve_uint16(out, &size));
333 : :
334 [ + + ]: 119621 : for (size_t i = 0; i < signature_preferences->count; i++) {
335 : 111913 : const struct s2n_signature_scheme *const scheme = signature_preferences->signature_schemes[i];
336 [ - + ][ # # ]: 111913 : RESULT_ENSURE_REF(scheme);
337 [ + + ]: 111913 : if (s2n_signature_scheme_is_valid_for_send(conn, scheme)) {
338 [ - + ]: 107690 : RESULT_GUARD_POSIX(s2n_stuffer_write_uint16(out, scheme->iana_value));
339 : 107690 : }
340 : 111913 : }
341 [ - + ]: 7708 : RESULT_GUARD_POSIX(s2n_stuffer_write_vector_size(&size));
342 : :
343 : 7708 : return S2N_RESULT_OK;
344 : 7708 : }
345 : :
346 : : int s2n_recv_supported_sig_scheme_list(struct s2n_stuffer *in, struct s2n_sig_scheme_list *sig_hash_algs)
347 : 7694 : {
348 : 7694 : uint16_t length_of_all_pairs = 0;
349 [ - + ]: 7694 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &length_of_all_pairs));
350 [ - + ]: 7694 : if (length_of_all_pairs > s2n_stuffer_data_available(in)) {
351 : : /* Malformed length, ignore the extension */
352 : 0 : return 0;
353 : 0 : }
354 : :
355 [ - + ]: 7694 : if (length_of_all_pairs % 2) {
356 : : /* Pairs occur in two byte lengths. Malformed length, ignore the extension and skip ahead */
357 [ # # ]: 0 : POSIX_GUARD(s2n_stuffer_skip_read(in, length_of_all_pairs));
358 : 0 : return 0;
359 : 0 : }
360 : :
361 : 7694 : int pairs_available = length_of_all_pairs / 2;
362 : :
363 [ + + ]: 7694 : if (pairs_available > TLS_SIGNATURE_SCHEME_LIST_MAX_LEN) {
364 [ + - ]: 1 : POSIX_BAIL(S2N_ERR_TOO_MANY_SIGNATURE_SCHEMES);
365 : 1 : }
366 : :
367 : 7693 : sig_hash_algs->len = 0;
368 : :
369 [ + + ]: 115626 : for (size_t i = 0; i < (size_t) pairs_available; i++) {
370 : 107933 : uint16_t sig_scheme = 0;
371 [ - + ]: 107933 : POSIX_GUARD(s2n_stuffer_read_uint16(in, &sig_scheme));
372 : :
373 : 107933 : sig_hash_algs->iana_list[sig_hash_algs->len] = sig_scheme;
374 : 107933 : sig_hash_algs->len += 1;
375 : 107933 : }
376 : :
377 : 7693 : return 0;
378 : 7693 : }
379 : :
380 : : S2N_RESULT s2n_signature_algorithm_get_pkey_type(s2n_signature_algorithm sig_alg, s2n_pkey_type *pkey_type)
381 : 49122 : {
382 [ - + ][ # # ]: 49122 : RESULT_ENSURE_REF(pkey_type);
383 : 49122 : *pkey_type = S2N_PKEY_TYPE_UNKNOWN;
384 : :
385 : 49122 : switch (sig_alg) {
386 [ + + ]: 6421 : case S2N_SIGNATURE_RSA:
387 [ + + ]: 20239 : case S2N_SIGNATURE_RSA_PSS_RSAE:
388 : 20239 : *pkey_type = S2N_PKEY_TYPE_RSA;
389 : 20239 : break;
390 [ + + ]: 11877 : case S2N_SIGNATURE_RSA_PSS_PSS:
391 : 11877 : *pkey_type = S2N_PKEY_TYPE_RSA_PSS;
392 : 11877 : break;
393 [ + + ]: 16364 : case S2N_SIGNATURE_ECDSA:
394 : 16364 : *pkey_type = S2N_PKEY_TYPE_ECDSA;
395 : 16364 : break;
396 [ + + ]: 642 : case S2N_SIGNATURE_MLDSA:
397 : 642 : *pkey_type = S2N_PKEY_TYPE_MLDSA;
398 : 642 : break;
399 [ - + ]: 0 : default:
400 [ # # ]: 0 : RESULT_BAIL(S2N_ERR_INVALID_SIGNATURE_ALGORITHM);
401 : 49122 : }
402 : :
403 : 49122 : return S2N_RESULT_OK;
404 : 49122 : }
|
